Setup

Now set the Environment Variable “SECUDIR” via Start -> Control Panel -> System -> Extended -> Environment Variables. Add a new System Variable SECUDIR with Value C:usrsapNSPDVEBMGS00sec:

Close the command line and start it again. The Command “echo %SECUDIR%” must return “C:usrsapNSPDVEBMGS00sec”. Now edit the instance profile file “C:usrsapNSPSYSprofile NSP_DVEBMGS00_hostname” and add these lines:

Now you can start your application server again with the SAP Management Console.

Create Certificate

Logon to your SAP System via SAP GUI and start Transaction STRUSTSSO2

Execute a right click on the SSL-Server and choose “create” do not replace the “*”. Enter Org. and Comp. and Country. To enter the Country you had to click on the toggle Button:

Press enter to save the settings. Press enter to close this screen which shows you the Instance PSE’s:

Now expand the SSL Server node and doubleclick on your hostname:

You will notice that the Certificate is currently self signed. When you have a Service Marketplace Account, then you can get a test certificate from http://service.sap.com/SSLTest. Export the Certificate Request by clicking on the “Create Certificate Request” button:

Copy the Request into the clipboard and paste it into the Text field on the Service Marketplace. Choose server type “SAP Web Application Server 6.20 and newer”. Copy the returned certificate and import it via the “Import Cert. Response”:

Finally go to the download Area of the SAP Trust Centre and download the “mySAP.com Test CA Certificate” and also the “SAP Server CA Certificate”. I’ve saved them to C: empsap-cryptogetCert.cer and “getCertSAP Server CA Certificate.cer”. Import it into your Certificate store:

And add it to the Certificate List:

Also add these Certificates to your local Certificate store via double click on them in the Windows Explorer. So you will not get any error Messages from your Browser that the Certificate is not valid.

Start SSL Server

If the SSL Server is not already running try to start it via SMICM:

Click on Services (Shift + F1)

Choose the Line “HTTPS”

Choose Service -> Activate

Test

Test your settings on the command line with

netstat -an

It should find one line like:

TCP 0.0.0.0:8443 0.0.0.0:0 ABHÖREN

Start BSP Application which needs HTTPS

SE80, open the BSP-Application “HTMLB_samples” and run the test by pressing F8. To force that HTTPS is used you can set this in SE80 via Menu Utilities -> Settings. In the Tab “Business Server Pages” enter Log, Application Server and Port:

Save the setting and run the application via F8. Your browser will start and

This is a great Blog! Very helpful – I don’t normally deal with basis type stuff though, and I dont understand how the domain workd with regards to the *.siteco.net…

I am running windows XP pro – what do I need to do to set up this domain? I usually log into a local admin account. Do I use my computer name or IP address? Or some ficticious domain name? If so, do I need ot edit the host files or something?

Hi Greg,Your weblog has been very helpful but i have some issues like if we activate this HTTPS on our existing WAS 6.40 , will there be any effect for the existing http links which will be used by users with in our domain(intranet).

Our requirment is 1. currently our internet users(outside our compnay domain) also using http prot only , so we would like to activate https link for internet users. if we proceed for this

will there be any problem for intranet users(with in domain) I mean will they access our site with http prot

I have seen that you got the error “Operation failed (rc=1)” when you tried to activate HTTPS. Has this issue fixed? If so, could you please let me know the procedure that you followed? Because, I am getting the same error when I tried to activate HTTPS. I am using ITS 7.0.

For instance this being one of the top results on SCN for HTTPS setup I think it may prompt many users to download the old sapcrypto while they have the newer version already built in to the kernel. Also since sapcrypto is now delivered standard on a new install with the kernel are the other steps like setting the system variable SECUDIR still required? SAP documentation is not clear on this.

If SAP now provides sapcrypto as standard should the system not come with more of the setup completed out of the box to ensure that HTTPS is implemented correctly, uniformly, and securely?

Even the documentation on help.sap.com for Netweaver 7.40 is wrong and implies you have to download sapcrypto (SAPCRYPTOLIB) instead of using the included CommonCryptoLib in the kernel: “Extract the contents of the SAP Cryptographic Library installation package.”